Windows Analysis Report
dealmaker.exe

Overview

General Information

Sample name: dealmaker.exe
Analysis ID: 1628063
MD5: 8120a4e61d68e524edc4ed931b97b5d7
SHA1: 13d0f69cb8d2ad7766f2f0d13407378d408e38e9
SHA256: 0a0ff79985dac18a76f923b158589efb77a77ca2c8be396434d5c77d8fe87534
Tags: exe, LummaStealer, user-threatcat_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • dealmaker.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\dealmaker.exe" MD5: 8120A4E61D68E524EDC4ED931B97B5D7)
    • dealmaker.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\dealmaker.exe" MD5: 8120A4E61D68E524EDC4ED931B97B5D7)
  • cleanup
Malware Configuration (LummaC): {"C2 url": ["citxresearchers.icu", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "c2CoW0--toze"}

Yara Overview

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.2843301407.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2298130212.00000000052C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: dealmaker.exe PID: 7324 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.dealmaker.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.dealmaker.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.dealmaker.exe.52c0000.8.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.dealmaker.exe.52c0000.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

No Sigma rule has matched
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-03T14:44:35.451005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49746 | 149.154.167.99 | 443 | TCP
2025-03-03T14:44:36.541926+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49752 | 104.21.24.112 | 443 | TCP
2025-03-03T14:44:58.229525+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49876 | 104.21.24.112 | 443 | TCP
2025-03-03T14:44:57.760302+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 104.21.24.112 | 443 | TCP
2025-03-03T14:45:30.718737+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49876 | 104.21.24.112 | 443 | TCP
2025-03-03T14:44:57.760302+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 104.21.24.112 | 443 | TCP

                      AV Detection

Source: gadgethgfub.icu | Avira URL Cloud: Label: malware
Source: techmindzs.live | Avira URL Cloud: Label: malware
Source: techspherxe.top | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["citxresearchers.icu", "hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "c2CoW0--toze"}
Source: dealmaker.exe | Virustotal: Detection: 30%
Source: dealmaker.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: citxresearchers.icu
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: hardswarehub.today
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: gadgethgfub.icu
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: hardrwarehaven.run
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techmindzs.live
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: codxefusion.top
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: quietswtreams.life
Source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techspherxe.top
Source: dealmaker.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.112:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.112:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: dealmaker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2292310122.0000000003854000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2299297297.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2292310122.0000000003854000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2299297297.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp

                      Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49752 -> 104.21.24.112:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49752 -> 104.21.24.112:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49876 -> 104.21.24.112:443
Source: Malware configuration extractor | URLs: citxresearchers.icu
Source: Malware configuration extractor | URLs: hardswarehub.today
Source: Malware configuration extractor | URLs: gadgethgfub.icu
Source: Malware configuration extractor | URLs: hardrwarehaven.run
Source: Malware configuration extractor | URLs: techmindzs.live
Source: Malware configuration extractor | URLs: codxefusion.top
Source: Malware configuration extractor | URLs: quietswtreams.life
Source: Malware configuration extractor | URLs: techspherxe.top
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49746 -> 149.154.167.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49752 -> 104.21.24.112:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49876 -> 104.21.24.112:443
Source: global traffic | HTTP traffic detected: GET /+_037kpzzjYBkNWI6 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: t.me
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: citxresearchers.icu
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 47; Host: citxresearchers.icu
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: citxresearchers.icu
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: citxresearchers.icu
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dealmaker.exe | String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.cloudinary.com
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/3
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/api
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/apiK
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/pi
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://citxresearchers.icu/y
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: dealmaker.exe, 00000002.00000002.2844036589.000000000116C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: dealmaker.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.112:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.24.112:443 -> 192.168.2.5:49876 version: TLS 1.2
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_0043E2F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard | 2_2_0043E2F0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004421F82_2_004421F8
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004369862_2_00436986
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041718D2_2_0041718D
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044B9B02_2_0044B9B0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00410A602_2_00410A60
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004499BC2_2_004499BC
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004102772_2_00410277
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040A2202_2_0040A220
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004302202_2_00430220
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00408A302_2_00408A30
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00447AC02_2_00447AC0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004482C02_2_004482C0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00415AE42_2_00415AE4
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00426A802_2_00426A80
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044B2A02_2_0044B2A0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041D2AF2_2_0041D2AF
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040DAB02_2_0040DAB0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044AAB12_2_0044AAB1
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042F3402_2_0042F340
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004343502_2_00434350
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004243602_2_00424360
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00437B702_2_00437B70
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00402B102_2_00402B10
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00445B1F2_2_00445B1F
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00449B3B2_2_00449B3B
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00443BD02_2_00443BD0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041BBD92_2_0041BBD9
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044B3E02_2_0044B3E0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042E3ED2_2_0042E3ED
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0043ABEC2_2_0043ABEC
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040BBF02_2_0040BBF0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004453902_2_00445390
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004094402_2_00409440
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040C4402_2_0040C440
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042E4442_2_0042E444
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00442C602_2_00442C60
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042AC0E2_2_0042AC0E
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00444CD02_2_00444CD0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004364D92_2_004364D9
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042DCF22_2_0042DCF2
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044BCF02_2_0044BCF0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041CC892_2_0041CC89
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004285702_2_00428570
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00423D002_2_00423D00
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044C5002_2_0044C500
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004035102_2_00403510
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00407D302_2_00407D30
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004275D02_2_004275D0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004245E02_2_004245E0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004395AB2_2_004395AB
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042EDB02_2_0042EDB0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041E64E2_2_0041E64E
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00421E592_2_00421E59
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00422E602_2_00422E60
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004456702_2_00445670
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041167D2_2_0041167D
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0043A6012_2_0043A601
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004176202_2_00417620
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004236202_2_00423620
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00442EC02_2_00442EC0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0043168D2_2_0043168D
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0042F69C2_2_0042F69C
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00408EA02_2_00408EA0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00403EB02_2_00403EB0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004437402_2_00443740
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040EF502_2_0040EF50
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004207502_2_00420750
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0043576D2_2_0043576D
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00447F702_2_00447F70
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00427F202_2_00427F20
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044B7302_2_0044B730
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00430FC02_2_00430FC0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004327C02_2_004327C0
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0041BFD92_2_0041BFD9
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004307DB2_2_004307DB
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_00406F862_2_00406F86
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0044278C2_2_0044278C
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_0040F78A2_2_0040F78A
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: 2_2_004047922_2_00404792
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: String function: 0040B210 appears 50 times
                      Source: C:\Users\user\Desktop\dealmaker.exeCode function: String function: 0041AE20 appears 105 times
                      Source: dealmaker.exe, 00000000.00000002.2283976200.000000000076E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2292310122.0000000003854000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000000.2050007840.00000000002C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCvfzhl.exe\ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000000.2050007840.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: get_DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000000.2050007840.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: set_DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000000.2050007840.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: IndexOfInsertRemoveAtget_Codecset_Codecget_BitRateset_BitRateget_Frequencyset_Frequencyget_Channelsset_Channelsget_ChannelLayoutset_ChannelLayoutget_Errorset_Errorget_TopLeftset_TopLeftget_Sizeset_Sizeget_PublicIdsset_PublicIdsget_Customset_Customget_Facesset_Facesget_Deletedset_Deletedget_NextCursorset_NextCursorget_Partialset_Partialget_Messageset_Messageget_Resultset_Resultget_Transformationset_Transformationget_Formatset_Formatget_Lengthset_Lengthget_Idset_Idget_Urlset_Urlget_SecureUrlset_SecureUrlget_RekognitionFaceset_RekognitionFaceget_Uriset_Uriget_SecureUriset_SecureUriset_Typeget_Eagerset_Eagerget_Statusset_Statusget_BatchIdset_BatchIdget_BoundingBoxset_BoundingBoxget_Confidenceset_Confidenceget_Ageset_Ageget_Smileset_Smileget_Glassesset_Glassesget_Sunglassesset_Sunglassesget_Beardset_Beardget_Mustacheset_Mustacheget_EyeClosedset_EyeClosedget_MouthOpenWideset_MouthOpenWideget_Beautyset_Beautyget_Genderset_Genderget_Raceset_Raceget_Emotionset_Emotionget_Qualityset_Qualityget_Poseset_Poseget_EyeLeftPositionset_EyeLeftPositionget_EyeRightPositionset_EyeRightPositionget_EyeLeft_Leftset_EyeLeft_Leftget_EyeLeft_Rightset_EyeLeft_Rightget_EyeLeft_Upset_EyeLeft_Upget_EyeLeft_Downset_EyeLeft_Downget_EyeRight_Leftset_EyeRight_Leftget_EyeRight_Rightset_EyeRight_Rightget_EyeRight_Upset_EyeRight_Upget_EyeRight_Downset_EyeRight_Downget_NosePositionset_NosePositionget_NoseLeftset_NoseLeftget_NoseRightset_NoseRightget_MouthLeftset_MouthLeftget_MouthRightset_MouthRightget_MouthUpset_MouthUpget_MouthDownset_MouthDownget_Nameset_Nameget_Pathset_Pathget_Foldersset_Foldersm_resourceTypeget_PublicIdset_PublicIdget_Versionset_Versionget_Createdset_Createdget_Widthset_Widthget_Heightset_Heightget_Exifset_Exifget_Metadataset_Metadataget_Colorsset_Colorsget_Derivedset_Derivedget_Tagsset_Tagsget_Moderationset_Moderationget_Contextset_Contextget_Phashset_Phashget_Predominantset_Predominantget_Coordinatesset_Coordinatesget_Infoset_Infoget_AccessControlset_AccessControlget_Strictset_Strictget_Usedset_Usedget_Unsignedset_Unsignedget_Settingsset_Settingsget_Xset_Xget_Yset_Yget_DeleteTokenset_DeleteTokenget_Detectionset_Detectionm_resourceTypesget_Resourcesset_Resourcesget_Transformationsset_Transformationsget_Presetsset_PresetsStatusKindResponseUpdatedAtget_Googleset_Googleget_Publishedset_Publishedget_Failedset_Failedget_UploadIdset_UploadIdget_Signatureset_Signatureget_ResourceTypeset_ResourceTypeget_CreatedAtset_CreatedAtget_Backupset_Backupget_ModerationStatusset_ModerationStatusImageget_TotalCountset_TotalCountget_Timeset_Timeget_CssUriset_CssUriget_SecureCssUriset_SecureCssUriget_ImageUriset_ImageUriget_JsonUriset_JsonUriget_ImageInfosset_ImageInfosget_Updatedset_Updatedget_DisallowPublicIdset_DisallowPublicIdget_Invalidateset_Invalidateget_UseFilenameset_UseFilenameget_UniqueFilenameset_UniqueFilenameget_DiscardOriginalFilenameset_DiscardOriginalFilenameget_NotificationUrlset_NotificationUrlget_Proxyset_Proxyget_Folderset_Folderget_Overwriteset_Overwriteget_RawC
                      Source: dealmaker.exe, 00000000.00000000.2050007840.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2294964586.0000000004E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKkwfcimq.dll" vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2299297297.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs dealmaker.exe
                      Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe | Binary or memory string: get_DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe | Binary or memory string: set_DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe | Binary or memory string: IndexOfInsertRemoveAtget_Codecset_Codecget_BitRateset_BitRateget_Frequencyset_Frequencyget_Channelsset_Channelsget_ChannelLayoutset_ChannelLayoutget_Errorset_Errorget_TopLeftset_TopLeftget_Sizeset_Sizeget_PublicIdsset_PublicIdsget_Customset_Customget_Facesset_Facesget_Deletedset_Deletedget_NextCursorset_NextCursorget_Partialset_Partialget_Messageset_Messageget_Resultset_Resultget_Transformationset_Transformationget_Formatset_Formatget_Lengthset_Lengthget_Idset_Idget_Urlset_Urlget_SecureUrlset_SecureUrlget_RekognitionFaceset_RekognitionFaceget_Uriset_Uriget_SecureUriset_SecureUriset_Typeget_Eagerset_Eagerget_Statusset_Statusget_BatchIdset_BatchIdget_BoundingBoxset_BoundingBoxget_Confidenceset_Confidenceget_Ageset_Ageget_Smileset_Smileget_Glassesset_Glassesget_Sunglassesset_Sunglassesget_Beardset_Beardget_Mustacheset_Mustacheget_EyeClosedset_EyeClosedget_MouthOpenWideset_MouthOpenWideget_Beautyset_Beautyget_Genderset_Genderget_Raceset_Raceget_Emotionset_Emotionget_Qualityset_Qualityget_Poseset_Poseget_EyeLeftPositionset_EyeLeftPositionget_EyeRightPositionset_EyeRightPositionget_EyeLeft_Leftset_EyeLeft_Leftget_EyeLeft_Rightset_EyeLeft_Rightget_EyeLeft_Upset_EyeLeft_Upget_EyeLeft_Downset_EyeLeft_Downget_EyeRight_Leftset_EyeRight_Leftget_EyeRight_Rightset_EyeRight_Rightget_EyeRight_Upset_EyeRight_Upget_EyeRight_Downset_EyeRight_Downget_NosePositionset_NosePositionget_NoseLeftset_NoseLeftget_NoseRightset_NoseRightget_MouthLeftset_MouthLeftget_MouthRightset_MouthRightget_MouthUpset_MouthUpget_MouthDownset_MouthDownget_Nameset_Nameget_Pathset_Pathget_Foldersset_Foldersm_resourceTypeget_PublicIdset_PublicIdget_Versionset_Versionget_Createdset_Createdget_Widthset_Widthget_Heightset_Heightget_Exifset_Exifget_Metadataset_Metadataget_Colorsset_Colorsget_Derivedset_Derivedget_Tagsset_Tagsget_Moderationset_Moderationget_Contextset_Contextget_Phashset_Phashget_Predominantset_Predominantget_Coordinatesset_Coordinatesget_Infoset_Infoget_AccessControlset_AccessControlget_Strictset_Strictget_Usedset_Usedget_Unsignedset_Unsignedget_Settingsset_Settingsget_Xset_Xget_Yset_Yget_DeleteTokenset_DeleteTokenget_Detectionset_Detectionm_resourceTypesget_Resourcesset_Resourcesget_Transformationsset_Transformationsget_Presetsset_PresetsStatusKindResponseUpdatedAtget_Googleset_Googleget_Publishedset_Publishedget_Failedset_Failedget_UploadIdset_UploadIdget_Signatureset_Signatureget_ResourceTypeset_ResourceTypeget_CreatedAtset_CreatedAtget_Backupset_Backupget_ModerationStatusset_ModerationStatusImageget_TotalCountset_TotalCountget_Timeset_Timeget_CssUriset_CssUriget_SecureCssUriset_SecureCssUriget_ImageUriset_ImageUriget_JsonUriset_JsonUriget_ImageInfosset_ImageInfosget_Updatedset_Updatedget_DisallowPublicIdset_DisallowPublicIdget_Invalidateset_Invalidateget_UseFilenameset_UseFilenameget_UniqueFilenameset_UniqueFilenameget_DiscardOriginalFilenameset_DiscardOriginalFilenameget_NotificationUrlset_NotificationUrlget_Proxyset_Proxyget_Folderset_Folderget_Overwriteset_Overwriteget_RawC
                      Source: dealmaker.exe | Binary or memory string: DiscardOriginalFilename vs dealmaker.exe
                      Source: dealmaker.exe | Binary or memory string: OriginalFilenameCvfzhl.exe\ vs dealmaker.exe
                      Source: dealmaker.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: dealmaker.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: dealmaker.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: dealmaker.exe, ---.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/0@2/2
                      Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_0043C060 CoCreateInstance
                      Source: C:\Users\user\Desktop\dealmaker.exe | Mutant created: NULL
                      Source: C:\Users\user\Desktop\dealmaker.exe | Mutant created: \Sessions\1\BaseNamedObjects\Topbyggqj
                      Source: dealmaker.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: dealmaker.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\dealmaker.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: dealmaker.exe | Virustotal: Detection: 30%
                      Source: dealmaker.exe | ReversingLabs: Detection: 21%
                      Source: C:\Users\user\Desktop\dealmaker.exe | File read: C:\Users\user\Desktop\dealmaker.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\dealmaker.exe "C:\Users\user\Desktop\dealmaker.exe"
                      Source: C:\Users\user\Desktop\dealmaker.exe | Process created: C:\Users\user\Desktop\dealmaker.exe "C:\Users\user\Desktop\dealmaker.exe"
                      Source: C:\Users\user\Desktop\dealmaker.exe | Process created: C:\Users\user\Desktop\dealmaker.exe "C:\Users\user\Desktop\dealmaker.exe"
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\dealmaker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\dealmaker.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: dealmaker.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: dealmaker.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: dealmaker.exe | Static file information: File size 1785344 > 1048576
                      Source: dealmaker.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b3200
                      Source: dealmaker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2292310122.0000000003854000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2299297297.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2292310122.0000000003854000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2299297297.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: dealmaker.exe, 00000000.00000002.2292310122.0000000003721000.00000004.00000800.00020000.00000000.sdmp, dealmaker.exe, 00000000.00000002.2298502632.0000000005360000.00000004.08000000.00040000.00000000.sdmp

                      Data Obfuscation

Source: dealmaker.exe, --.cs | .Net Code: _000E System.AppDomain.Load(byte[])
Source: dealmaker.exe, ---.cs | .Net Code: _000E System.Reflection.Assembly.Load(byte[])
Source: dealmaker.exe, ---.cs | .Net Code: _000E
Source: 0.2.dealmaker.exe.5360000.9.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 0.2.dealmaker.exe.5360000.9.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 0.2.dealmaker.exe.5360000.9.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 0.2.dealmaker.exe.5360000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 0.2.dealmaker.exe.5360000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.dealmaker.exe.5bd0000.10.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.dealmaker.exe.3855d70.0.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 0.2.dealmaker.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.dealmaker.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2298130212.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dealmaker.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 0_2_05C56501 push edi; iretd 0_2_05C56506
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_00455894 push ds; iretd 2_2_0045589F
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_00451C66 push 00000000h; retf 2_2_00451C6C
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_0044F533 push es; ret 2_2_0044F549
Source: dealmaker.exe | Static PE information: section name: .text entropy: 7.667741493333287
Source: C:\Users\user\Desktop\dealmaker.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: dealmaker.exe PID: 7324, type: MEMORYSTR
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\dealmaker.exe | Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\dealmaker.exe | Memory allocated: 2720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\dealmaker.exe | Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\dealmaker.exe TID: 7672 | Thread sleep time: -30000s >= -30000s
Source: dealmaker.exe, 00000000.00000002.2294964586.0000000004E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: cP2bKXVVLCI4VMCiWNS
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: dealmaker.exe, 00000002.00000002.2844068008.0000000001170000.00000004.00000020.00020000.00000000.sdmp, dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: dealmaker.exe, 00000000.00000002.2285004892.0000000002721000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
Source: dealmaker.exe, 00000002.00000002.2844308756.00000000011A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?
Source: C:\Users\user\Desktop\dealmaker.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dealmaker.exe | Code function: 2_2_00449770 LdrInitializeThunk,2_2_00449770
Source: C:\Users\user\Desktop\dealmaker.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\dealmaker.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\dealmaker.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\dealmaker.exe | Process created: C:\Users\user\Desktop\dealmaker.exe "C:\Users\user\Desktop\dealmaker.exe"
Source: C:\Users\user\Desktop\dealmaker.exe | Queries volume information: C:\Users\user\Desktop\dealmaker.exe VolumeInformation
Source: C:\Users\user\Desktop\dealmaker.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\dealmaker.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\dealmaker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 2.2.dealmaker.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.dealmaker.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2843301407.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP

                      Remote Access Functionality

Source: Yara match | File source: 2.2.dealmaker.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.dealmaker.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2843301407.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2292310122.0000000003957000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count of matching signatures for that technique, techniques without a number had no hits):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (2); Process Discovery (1); System Information Discovery (12); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (11); Clipboard Data (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery